bonjour!
Can’t stop winning.
I wouldn’t be naive enough to believe there’s not a backdoor somewhere in LUKS.
“Naive” doesn’t sit right with me. Anyone can scrutinize LUKS, or BitLocker for that matter (via cryptsetup). Backdoors aren’t the issue here, even for MS Bitlocker. The issue, as stated in the article, is:
by default, BitLocker recovery keys are uploaded to Microsoft’s cloud
No need for a backdoor if you know you can get keys to the front door.
The word “Gave” is really doing some heavy lifting in that title. Microsoft produced the keys in response to a warrant as required by law.
If you don’t want a company, any company, to produce your data when given a warrant then you can’t give the company that data. At all. Ever.
Not fast food joints, not Uber, not YouTube, not even the grocery store.
Yes. But this completely invalidates the encryption. If anyone can decrypt your data without you giving the keys to them, it is not really encrypted.
The encryption key is data, don’t give it to ANYONE. “Two people can keep a secret if one of them is dead.”
Which means it’s useless if always uploaded to MS
You’re confusing two different things here, in a really weirdly obtuse way.
It may seem that way but I’m really not. An encryption key is just data. It’s critical security data to be sure but it’s still data and like other data you shouldn’t share anything that you wouldn’t want made public.
Don’t want MS to cough up your data when asked? Then don’t give it to them. In regards to your BL key that means storing it another way, such as on a jump drive or printing it out.
In the end if you have data of any type that you absolutely DO NOT want made public then you need to retain that data locally. If that means leaving the Microsoft or any other ecosystem then that’s the price that needs paid for keeping your data under your control.
This is the foundation of the entire privacy movement.
No, you really are. If you’re in control of an encryption key, then it’s perfectly fine to “give Microsoft your data” that’s encrypted by that key. An encryption key isn’t “just data”, it’s data that’s used to encrypt other data.
The problem here is not that Microsoft has access to your data, it’s that Microsoft has access to your encryption key.
Its not anyone though. Not anyone can get a warrant and demand the keys
if Microsoft has the power to give the keys to the feds what happens when Microsoft gets hacked?
or they give the keys or whatever data willingly, and then say they are hacked as an excuse.
Wouldn’t the hacker then need to track down your physical computer…steal it…use the bitlocker key…look to see if you actually have any data worth taking etc…?
Anyone as in “a single person”. They don’t mean everyone has access.
Sure. It’s not anyone. It’s anyone that can get a warrant. Or anyone that have enough power/underhanded influence to ask them nicely. Or any admin that have access to cloud storage at MS (remember they where caught with some exec having full access to that a while ago). Or any big leak that could exfiltrate these data. And probably a handful of other people, like, someone getting access to your MS account for whatever reason (which kinda happen, seeing how people lose their mail account to phishing/scams all the time) suddenly having access to your keys from there.
If your keys are in a DB somewhere, there’s a lot of way they could get out. Would these ways coincide with someone actually having your drive at hand? Probably not. Still, the key not existing in plaintext in some third party storage close all these holes.
Anyone included Microsoft. You’re thinking of the word “everyone”
If you can’t possess the keys, you can’t give them when there’s a warrant. Microsoft designed a system that could obtain and decrypt those keys on purpose.
I’m certainly not a microslop supporter, but…
They designed a system that recommended that the average user use full disk encryption as part of device setup, and then provided a way that Grandma could easily recover her family photos when she set it up with their cloud.
This was built by an engineer trying to prevent a foreseeable issue. The intent was not malicious. The intent was to get more people more secure by default, since random hacker couldn’t compell ms to give them keys, while still allowing low tech literacy people to not get fucked.
It’s been a while since I installed a new Windows OS, but I’m pretty sure it prompts you to allow uploading your bitlocker key. It probably defaults to yes, but I doubt you can’t say no, or reset the key post onboarding if you want the privacy, and now it’s on you to record your key. You do have to have some technical understanding of the process, though, which is true of just about everything.
That all said, if a company has your data, it can be demanded by the government. This is a cautionary tale about keeping your secrets secret. Don’t put them in GitHub, don’t put them in Chrome, don’t put them online anywhere because the Internet never forgets.
They’re doing this because there’s demand (with actually, non malicious genuine needs), and the feature is clearly advertised AFAIK.
It’s not some evil conspiracy. Microsoft does enough shitty things without us needing to blame them for their users’ shitty OpSec.
Here’s Microsoft’s overview page of bitlocker. Show me where it clearly says they can decrypt your drive.
https://support.microsoft.com/en-us/windows/bitlocker-overview-44c0c61c-989d-4a69-8822-b95cd49b1bbf
Not true with E2EE, they can’t give over shit when they don’t have the keys
Bitlocker is computer drive encryption. On W11 it’s supposed to be tied to the motherboards TPM. End to end encryption is not really applicable in this scenario. That phrase is more applicable to cloud services or storage where a telecom or CSP hosts or transports your data but can’t see what the data is.
Microsoft should not have the keys to decrypt Bitlocker ever.
Ofc its not applicable in that once scenario
Microsoft should not have the keys to decrypt Bitlocker ever.
Windows is a closed source and proprietary commercial Operating System. Microsoft is going to do whatever they like with it. If enough people get angry about an issue they may change their mind but that doesn’t change the nature of Microsoft’s ownership over their products.
I’ve been participating in discussion about what Microsoft should and shouldn’t do since the late 80s and it pretty much boils down to this: You need to select and use software that works the way you want it to. So if you don’t want MS to have your disk encryption key then don’t use Windows. If you don’t want MS to have access to your documents then don’t put them on any system that MS has control over.
It can be terrible inconvenient to protect your data in this way but this part and parcel of the privacy movement.
Linux. LUKS it yourself or it isn’t really encrypted.
What does Microsoft think the fucking point of encryption is? Do they think I am encrypting my data to protect it from my dog?
As someone who used windows for way too long: they just simply don’t give a shit. Like at all
If you’re not the only one with the keys, is it really encrypted?
i saw your dog using arch linux
Don’t be silly, the dog uses Puppy Linux.
Mines uses Yellow Dog Linux.
btw……
Why do you think the encryption capabilities on your PC are there for your sake? They might have sold them to you on that, but they are really there to protect copyright data because TPM allows encryption/decryption that is completely hidden from the rest of your system. Like an encrypted handshake that then transfers an encrypted key to decrypt the video stream. But it doesn’t save the decrypted data, it immediately re-encrypts it using your display’s private key (or whatever device is next in the chain, maybe your GPU). They can make it so that the unencrypted stream never touches your RAM or travels on any wire, which means you can’t pirate shows as you watch them unless you point a camera at your screen.
Obviously if they just said that was one of the main points, no one would want it and media companies couldn’t benefit from it because they’d have to compromise to sell content.
The other point was so that they could build a system where they hold the encryption keys and get to choose whose data is actually private. Obviously that’s an even harder sell.
So they did what marketers always do and lied by omission about what it was for and just outright lied if they ever said they’d never give the keys to law enforcement (did they ever even say that?).
Let go of the idea that someone selling something to you implies any kind of loyalty, especially when either party is a large corporation.
deleted by creator
Just use Linux.
I’ve read someone blabbering how BitLocker is better than FDE on Linux or BSDs just recently. I didn’t do fact checking, but honestly just uploading keys to MS wasn’t something I expected even from them.
Not even from the company that tried to provide you with windows recall? 🤣
BitLocker is older.
It’s a product of Vista-era Microsoft which is also current Windows-Recall-era Microsoft.
What a slap to the faces of everyone who had been locked out of their data because they never knew about this crap and thus never saved their keys
Except their keys were saved but microsoft deemed that they cant “prove ownership” of the microsoft account, because they lack the credentials…
A single bitter, crowing “hah!” at whoever thought there wasn’t at least this much overlap between our corporate and government masters. Welcome to hell kid, shoutout to whatever’s being trained on the last ~30 years of everything that touched the internet in the NSA’s Utah data center. Rose coloured PRISM though, I dream of the day when someone makes those search tools public and I can reminisce through my preteen MSN Messenger convos
People called me paranoid when I said this would happen someday…
if theres money to be made it will happen one day
BitLocker? More like ShitLocker.
Wasn’t this by design? Otherwise why keeping the decryption keys on servers located in the united states’?
BitLocker provides for a recovery key. This is to allow someone to regain access to an encrypted device in the event that they lose their PIN, any one of these scenarios happen, OR when suspects do not want to cooperate with LEOs.
Find your BitLocker recovery key
If the target device is part of an enterprise and managed with EntraId/Intune this is the option. Escrowed keys.
Why is anyone surprised by this? And what kind of imbecile commits crimes and uses windows? 🤣
Not just that but also uploads a copy of the key to their Microsoft Account…
Many modern Windows computers rely on full-disk encryption, called BitLocker, which is enabled by default. This type of technology should prevent anyone except the device owner from accessing the data if the computer is locked and powered off. But, by default, BitLocker recovery keys are uploaded to Microsoft’s cloud, allowing the tech giant — and by extension law enforcement — to access them and use them to decrypt drives encrypted with BitLocker, as with the case reported by Forbes.
uploads a copy of the key to their Microsoft Account
Microsoft added that feature because people kept losing their encryption keys and thus losing all their files if they need to have their computer replaced. They get complaints either way - privacy advocates complain when the key is backed up, and sysadmins/users complain when the key isn’t backed up.
I think in cases like this, I’d rather the responsibility of burden be shifted towards individuals with autonomy than to large corporations. But I suppose in that case (reductionism warning) people might as well just use Linux.
Didn’t Osama bin Laden use Windows? 😂
Now I’m curious about that, haha!
After Bin Laden was killed, the CIA released the contents of his hard drive. Index can be found here. Search for “Windows” and you’ll find multiple system files, drivers, etc.
Remember when Truecrypt got suspiciously terminated? That was the goal
I wonder if it’s actually safe or if it’s just a CIA honeypot.
They’ve fixed Truecrypt vulnerabilities uncovered by previous audits, and have themselves been audited at least twice
Edit: some highlights on the latest audits and their response.
Microsoft only has your key if you give it to them for convenience (by syncing to your Microsoft account), and they’re required by law to give anything stored in their servers if asked. There’s no conspiracy here.
Microsoft railroads you into this. Your Bitlocker key will get exfiltrated unless you do a bunch of bullshit to make sure it isn’t.
And that’s the thing with Microsoft, they just keep doing this everywhere in Windows. There is and endless torrent of shit to turn off. No reasonable person will keep on top of it. And if you fuck up a singular time, they just vacuum everything.
Well, you obviously have never used BitLocker. The first thing they ask you when you activate BitLocker is to pick one of 3 options:
-
Link to Microsoft Account.
-
Save to a File
-
Print Recovery Key (so you can write it down on a piece of paper or whatever)
There’s no “railroading”. There’s plenty of real things to not like Microsoft. No need to make them up.
-
Is anyone shocked by this? With everything that DHS, FBI, ICE, military, elected representatives, etc. are all doing without any concern or care for laws, civil rights, human rights, the Constitution, this should not be a shock to anyone. Corporations are bending over backwards to appease the talking orange and make more money. They do not care as long as profits are up and the shareholders are happy. A companies primary legal responsibility is to the shareholders, not the customers.
+100. People forget, or chose not to pay attention to the fact that Google sensor vault data was key evidence in convicting the January 6 insurrectionists (who were exonerated to become ICE). Surveillance capitalism doesn’t care which side you are on.
Small correction. They were not exonerated. They were pardoned. A pardon implicitly means guilt. Exonerated means their conviction was overturned.
Agreed. Wrong word choice. And its an important, major correction. Not a small one. :-)
